General Information

Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to ensure that their system remains protected in the event that wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin.

Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000, Windows XP, and Windows Server 2003 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed.

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.

An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

Mitigating factors:

Messages are delivered to the Messenger service via NetBIOS or RPC. If users have blocked the NetBIOS ports (ports 137-139) and UDP broadcast packets by using a firewall, others will not be able to send messages to them on those ports. Most firewalls, including Internet Connection Firewall in Windows XP, block NetBIOS by default.

Disabling the Messenger Service will prevent the possibility of attack.

On Windows Server 2003 systems, the Messenger Service is disabled by default.

Severity Rating:

Windows NT                                       Critical
Windows Server NT 4.0 Terminal Server Edition    Critical
Windows 2000                                     Critical
Windows XP                                       Critical
Windows Server 2003                              Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability; however, they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases; in such situations this is identified below.

Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-click Network and Internet Connections, and then click Setup or change your home or small office network.

The Internet Connection Firewall is enabled when you choose a configuration in the wizard that indicates that your computer is connected directly to the Internet.

To configure Internet Connection Firewall manually for a connection:

In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.

Right-click the connection on which you would like to enable ICF, and then click Properties.

On the Advanced tab, click the box to select the option to Protect my computer or network.

If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.

Disable the Messenger Service

Disabling the messenger service will prevent the possibility of an attack. You can disable the messenger service by performing the following:

Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).

Double-click Administrative Tools.

Double-click Services.

Double-click Messenger.

In the Startup type list, click Disabled.

Click Stop, and then click OK.

Impact of Workaround: If the Messenger service is disabled, messages from the Alerter service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.

Why is Microsoft reissuing this security update? Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to ensure that their system remains protected in the event that wkssvc.dll is ever deleted or becomes corrupt.

What version of Windows does this update apply to? The only version of Windows affected by this specific issue is Windows XP.

What is the %systemroot%\system32\dllcache? The %systemroot%\system32\dllcache or "dll cache", is used by the Windows File Protection Feature which prevents programs from replacing critical Windows system files. If a critical Windows system file is deleted or becomes corrupt, the system replaces the file with a correct version from the "dll cache".

What is the Windows File Protection Feature? Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system. WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. For more information on WFP and how it works, see Microsoft Knowledge Base article http://support.microsoft.com?kbid=222193

What are the ramifications of not having the updated version of wkssvc.dll copied to the dll cache? If the updated version of the file wkssvc.dll (or any critical Windows system files) is not copied into the dll cache at the same time as the security update is applied to the system, the system is still protected from the vulnerability. However, if that file is ever deleted or becomes corrupt, WFP will seek to replace the deleted or corrupt file with the version currently available in the dll cache. In this case, the version of wkssvc.dll available would be older than the version which corrects the security vulnerability described in this bulletin. The effect of this would be that the system is returned to an insecure state, and the security update would need to be reinstalled.

If the wkssvc.dll file is inadvertently reverted to the version available prior to this update, will Windows Update notice that my system is no longer protected, and prompt me to install this critical update again? Yes. Windows Update will recognize that the file version now residing on the system is not the most current version, and you will be prompted to reinstall the security update.

I don't use Windows Update. If the wkssvc.dll file was inadvertently reverted to the version available prior to this update, would I be able to manually reinstall the update? Yes. The installer technology used by Microsoft will detect that the file version now residing on the system is not the most current version, and you will be able to successfully reinstall the security update.

Even with the original version of wkssvc.dll (.1301), am I still secure? Yes, the original version of wkssvc.dll will protect you unless it gets corrupted and is replaced with an unpatched version of the file from the dll cache, as described above.

Will the Microsoft Baseline Security Analyzer (MBSA) detect that I have the older version of wkssvc.dll installed on my Windows XP system? Yes. The Microsoft Baseline Security Analyzer (MBSA) will detect that the version of the wkssvc.dll file on the system is not the most current version, and prompt you to reinstall the updated version.

MBSA is showing me as insecure even though the older version of the wkssvc.dll does protect me. How can I make MBSA stop showing me as unpatched? The only way to prevent MBSA from showing the system as unprotected is to reinstall MS03-043.

I'm not sure which version of the wkssvc.dll I need to have installed on my Windows XP system in order to receive the security update, and be confident that the wkssvc.dll file also was copied into the dll cache. Which version do I need? If you are running Windows XP, the correct version of the wkssvc.dll file which is also copied into the dll cache is 5.1.2600.1309. If you still have the version ending in .1301, you should reinstall the security update.
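The version check described in the FAQ entries above, as an added example (not part of the original bulletin and not Microsoft code): it classifies Windows XP hosts from the wkssvc.dll versions found in system32 and in dllcache, comparing the fields numerically because a plain string comparison ranks "5.1.2600.999" above "5.1.2600.1309". The inventory rows, host names, status labels and function names are constructed for illustration, and the versions are assumed to have been collected beforehand.

```python
import csv
import io

REQUIRED = (5, 1, 2600, 1309)  # wkssvc.dll version the bulletin gives for Windows XP
ORIGINAL_BUILD = 1301          # the bulletin names the first release only as ".1301"

# Constructed sample inventory: host, version in system32, version in dllcache.
SAMPLE_INVENTORY = """\
host,system32,dllcache
xp-01,5.1.2600.1309,5.1.2600.1309
xp-02,5.1.2600.1301,5.1.2600.0
xp-03,5.1.2600.1309,
xp-04,5.1.2600.999,5.1.2600.999
xp-05,,
"""


def parse_version(text):
    """'5.1.2600.1309' -> (5, 1, 2600, 1309); None if missing or malformed."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(live_text, cache_text):
    """Return (status, action) for one Windows XP host.

    live_text is the version of the copy in system32, cache_text the version
    of the copy in system32/dllcache that Windows File Protection restores from.
    """
    live, cache = parse_version(live_text), parse_version(cache_text)
    if live is None:
        return ("unknown", "collect the file version again")
    if live >= REQUIRED:  # the bulletin lists file versions as "or later"
        if cache is not None and cache >= REQUIRED:
            return ("current", "none")
        # The live file is fixed, but a WFP restore would bring back an older copy.
        return ("stale-dllcache", "reinstall MS03-043")
    if live[:3] == REQUIRED[:3] and live[3] == ORIGINAL_BUILD:
        # First release: fixed file in system32, dllcache was not updated.
        return ("original-release", "reinstall MS03-043")
    return ("below-required", "install MS03-043")


def audit(inventory_csv):
    """Map each host in a host,system32,dllcache CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["system32"], r["dllcache"]) for r in rows}


if __name__ == "__main__":
    for host, (status, action) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} -> {action}")
```
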

Why has Microsoft reissued this bulletin? Subsequent to the release of this bulletin and the associated patches, a problem was identified with the Windows 2000, Windows XP, and Windows Server 2003 versions of the patch. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed. Microsoft has corrected this problem and re-issued this bulletin on October 29th, 2003 to advise on the availability of an updated Windows 2000, Windows XP, and Windows Server 2003 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. If you have previously applied this security patch, this update does not need to be installed.

What's the scope of the vulnerability? This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

What is the Windows Messenger Service? The Messenger service is a Windows service that transmits net send messages and messages that are sent through the Alerter service between client computers and servers. For example, the Messenger service can be used by network administrators to send administrative alerts to network users. The Messenger service can also be used by Windows and other software programs. For example, Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to an Uninterruptible Power Supply (UPS). The Messenger service is not related to your Web browser, e-mail program, Windows Messenger, or MSN Messenger.

What causes the vulnerability? The vulnerability results because of an unchecked buffer in the Messenger Service. If exploited, an attacker could gain Local System privileges on an affected system, or cause the service to fail.

Is the Messenger Service the same thing as Windows Messenger or MSN Messenger? No. It's important to note that the Messenger Service is not the same thing as Windows Messenger or MSN Messenger. Windows Messenger (http://messenger.microsoft.com) and MSN Messenger (http://messenger.msn.com) are instant messaging services that allow users to converse, share pictures, video, etc. In contrast, the Messenger service (http://support.microsoft.com/default.aspx?scid=KB;EN-US;168893&) is a simple text-only broadcast service that's typically used by administrators to send alerts to users, and warn them of pending outages, server maintenance, etc.

What's wrong with the Messenger Service? The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.

What could this vulnerability enable an attacker to do? An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

How could an attacker exploit this vulnerability? An attacker could seek to exploit this vulnerability by creating a specially crafted message and sending it to the Messenger Service on an affected system.

What does the patch do? The patch eliminates the vulnerability by ensuring that the Messenger Service properly validates the length of a message before passing it to the allocated buffer.

For information about the specific security patch for your platform, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites

This security patch requires a released version of Windows Server 2003.

Inclusion in future service packs:

The fix for this issue will be included in Windows Server 2003 Service Pack 1.

Installation Information:

This security patch supports the following Setup switches:

/help Displays the command line options

Setup Modes

/quiet Quiet mode (no user interaction or display)

/passive Unattended mode (progress bar only)

/uninstall Uninstalls the package

Restart Options

/norestart Do not restart when installation is complete

/forcerestart Restart after installation

Special Options

/l Lists installed Windows hotfixes or update packages

/o Overwrite OEM files without prompting

/n Do not backup files needed for uninstall

/f Force other programs to close when the computer shuts down

Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility; however, usage of the previous switches should be discontinued because this support may be removed in future security patches.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsserver2003-kb828035-x86-enu /passive /quiet

To install the patch without forcing the computer to restart, use the following command line:

Windowsserver2003-kb828035-x86-enu /norestart

Note: These switches can be combined in one command line.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.

Windows XP (all versions)

Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.

Prerequisites:

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility; however, usage of the previous switches should be discontinued because this support may be removed in future security patches.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsxp-kb828035-x86-enu /passive /quiet

To install the patch without forcing the computer to restart, use the following command line:

Windowsxp-kb828035-x86-enu /norestart

Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

The fix for this issue will be included in Windows 2000 Service Pack 5.

Installation Information:

This security patch supports the following Setup switches:

/help Displays the command line options

Setup Modes

/quiet Quiet mode (no user interaction or display)

/passive Unattended mode (progress bar only)

/uninstall Uninstalls the package

Restart Options

/norestart Do not restart when installation is complete

/forcerestart Restart after installation

Special Options

/l Lists installed Windows hotfixes or update packages

/o Overwrite OEM files without prompting

/n Do not backup files needed for uninstall

/f Force other programs to close when the computer shuts down

Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility; however, usage of the previous switches should be discontinued because this support may be removed in future security patches.

Deployment Information

To install the patch without any user intervention, use the following command line:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date          Time    Version          Size      File Name
02-Oct-2003   21:17   5.00.2195.6861   34,064    Msgsvc.dll
02-Oct-2003   21:17   5.00.2195.6861   96,528    Wkssvc.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB828035$ folder. The utility supports the following Setup switches:

/y: Perform removal (only with /m or /q).

/f: Force programs to quit during the shutdown process.

/n: Do not create an Uninstall folder.

/z: Do not restart when update completes.

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).

/m: Use Unattended mode with a user interface.

/l: List the installed hotfixes.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0:

Date          Time    Version          Size      File Name
02-Oct-2003   13:28   4.0.1381.7236    39,184    Msgsvc.dll
14-Apr-2003   15:45   4.0.1381.7215    80,784    Mup.sys
10-Jun-2003   13:41   4.0.1381.7220    256,272   Netapi32.dll
02-Oct-2003   13:28   4.0.1381.7236    60,688    Wkssvc.dll

Windows NT Server 4.0, Terminal Server Edition:

Date          Time    Version          Size      File Name
02-Oct-2003   13:45   4.0.1381.33553   44,816    Msgsvc.dll
22-Jan-2002   23:50   4.0.1381.33522   82,224    Mup.sys
28-Aug-2001   01:57   4.0.1381.33478   255,760   Netapi32.dll
02-Oct-2003   13:44   4.0.1381.33553   60,688    Wkssvc.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V2.2 November 14, 2003: Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to ensure that their system remains protected in the event that wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin. Caveats section has been updated to include new information relevant to NT 4.0 clients.